Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan [winkiller, Etc] - Sdfix Log


  • Please log in to reply
2 replies to this topic

#1 daitheflu135

daitheflu135

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:29 AM

Posted 22 February 2008 - 01:28 PM

SDFix: Version 1.144

Run by Ryan on Fri 02/22/2008 at 01:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 13:15:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000003c
"TracesSuccessful"=dword:0000000e
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions]
"\24%`%W%d"c%l%"="\x2502\x2557 \x2500\x2500\x253c\x2550"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1125116353\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125116353\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\i2hub\\i2hub.exe"="C:\\Program Files\\i2hub\\i2hub.exe:*:Enabled:i2hub"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Autodesk\\VIZ2008\\3dsviz.exe"="C:\\Program Files\\Autodesk\\VIZ2008\\3dsviz.exe:*:Enabled:Autodesk VIZ 2008"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1125116353\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125116353\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files:



Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 15 Sep 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Mon 22 Aug 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 22 Aug 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT3.tmp"
Mon 22 Aug 2005 4,348 ...H. --- "C:\Documents and Settings\Ryan\My Documents\My Music\License Backup\drmv1key.bak"
Mon 22 Aug 2005 401 A..H. --- "C:\Documents and Settings\Ryan\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 22 Aug 2005 312 A.SH. --- "C:\Documents and Settings\Ryan\My Documents\My Music\License Backup\drmv2key.bak"
Mon 21 Mar 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 21 Mar 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Tue 29 Mar 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Tue 29 Mar 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!

BC AdBot (Login to Remove)

 


#2 daitheflu135

daitheflu135
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:29 AM

Posted 22 February 2008 - 01:34 PM

And here is SmitfraudFix:

SmitFraudFix v2.294

Scan done at 13:32:13.37, Fri 02/22/2008
Run from C:\Documents and Settings\Ryan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Autodesk\VIZ2008\mentalray\satellite\raysat_VIZ2008_32server.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Ryan


C:\Documents and Settings\Ryan\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\ryan\FAVORI~1

C:\DOCUME~1\ryan\FAVORI~1\Online Security Test.url FOUND !

Desktop


C:\Program Files

C:\Program Files\NetProject\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.73.242
DNS Server Search Order: 68.87.71.226

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0E0BC0C0-C257-4E71-AAE8-ABBDA9CFC518}: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0E0BC0C0-C257-4E71-AAE8-ABBDA9CFC518}: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0E0BC0C0-C257-4E71-AAE8-ABBDA9CFC518}: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226


Scanning for wininet.dll infection


End

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:29 AM

Posted 10 March 2008 - 11:53 AM

Would be more helpful if we had a hijackthis log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users